New security rules will help the Public Sector keep data safe
Microsoft UK industry blog (Government), published 2016-03-07
https://www.microsoft.com/en-gb/industry/blog/government/2016/03/07/help-the-public-sector-keep-data-safe/
There used to be so many ways of classifying government data it was difficult to ensure data protection. Now there are much clearer rules.
Potential security breaches are an essential consideration for any organisation rolling out innovative new digital services, and the public sector must lead by example.
Until recently, rules around data security and privacy were complex and confusing. They were also increasingly unfit for purpose in the modern technology-enabled world with all its cloud-based service possibilities. This mismatch threatened to curtail the government’s own ambitions for a digital-first administration and public service.
But the situation is improving as simpler and clearer rules are set down about how to keep sensitive data safe.
New European data privacy rules, expected to be finalised as regulation in 2017, aim to provide a single set of rules on data protection across the European Union. The security-related requirements include:
Penalties for violating EU data protection rules range up to €1m. In the UK, the government has made its own controls on public sector data handling clearer and less onerous.
Previously, there were so many different ways of classifying government data that it was almost impossible for organisations to decide what could safely be held and managed where. The new government security classification policy (GSCP) and CESG’s cloud security principles (CSP), published last year, define much simpler data categories, and allow public sector organisations to interpret the levels of control needed for their own particular circumstances.
Public sector data is now broken down into three categories: official, secret and top secret. As much as 87% of data is classified as official, which frees government organisations to treat it with best-practice controls used by large commercial enterprises.
This improved clarity should help drive new public sector innovation, making it easier to use cloud-based technology services, for example – the CSPs offer guidance on how to ensure cloud solutions are appropriate for data classified as official.
“Public sector organisations are under increased pressure to generate cost savings, increase efficiencies and improve services, which is partly why the government has decided to embrace the potential of cloud computing,” notes Mark Thompson, privacy practice leader at KPMG.
“Taken together, the GSCP and the CSP can be seen as a concerted effort to prevent security being used as a blocker towards uptake,” comments Daniel Jones, senior analyst for defence and security at Kable, a public sector technology intelligence firm.
Potential suppliers promoting their services via the government G-Cloud must assert which of the 14 security principles they comply with. These cover matters such as how data is protected when it is stored and when it is in transit, for example whether it is encrypted as it passes across networks.
Suppliers must self-assess against each measure, providing complete transparency. Public sector organisations must also check their own particular compliance requirements – for example, if handling NHS medical data – and confirm that their trusted technology provider holds the appropriate certifications and accreditations.
Further considerations include whether data is segregated from other organisations’ content, and the provider’s policy for responding to law enforcement requests to access data. Vigilance must be ongoing. KPMG’s Thompson comments: “There needs to be an ongoing business relationship with the cloud provider, which must be able to adapt as the privacy and security landscape changes.”
New rules on security are there to help, not hinder, progress. Improving clarity over requirements, and how suppliers help meet them, will help the public sector make safer choices and innovate more confidently.
For more information, download the Cyber Security Demystified eBook.